[OpenAFS] optaining a token after openssh GSSAPI credential-delegation

Alexander Bergolth leo@strike.wu-wien.ac.at
Sun, 11 Sep 2005 15:18:52 +0200


I'm using GSSAPI credential-delegation to forward my kerberos 5 
tgt-ticket when initiating an openssh session.

GSSAPI-authentication and ticket forwarding works file but now I'm 
looking for a way to obtain an AFS-token from the TGT to be able to 
enter my home-directory which resides in AFS. I don't want to do that 
using aklog in the shell-profile, I'd prefer something like a pam-module.

I've tried to use a pam-session entry containing the prm_krb5 module but 
it looks like this module requires a pam-stash in the session stage, 
that is initialized in the auth-stage. If GSSAPI-authentication is used, 
the auth stage isn't used and therefore the session setup is skipped.

Sep 11 15:02:27 roaster sshd[5837]: pam_krb5[5837]: no v5 creds for user 
'bergolth', skipping session setup

Is there a pam_module that obtains a token from an krb5 ticket in the 
session stage without needing an auth stage?

Btw.: Maybe there is a second problem: I've straced the sshd 
login-process and it looks like the KRB5CCNAME environment variable is 
set (by another thread) _after_ the pam-session modules are executed. 
(See the strace excerpt below.)

Any help would be greatly appreciated.


# egrep 'no v5|krb5cc|clone' /tmp/urxn.txt
open("/tmp/krb5cc_5020_WO5082", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE, 0600) 
= 12
unlink("/tmp/krb5cc_5020_WO5082")       = 0
open("/tmp/krb5cc_5020_WO5082", O_RDWR|O_LARGEFILE) = 12
clone(Process 5083 attached
[pid  5083] send(10, "<39>Sep 11 13:28:30 sshd[5083]: pam_krb5[5083]: no 
v5 creds for user \'bergolth\', skipping session setup", 103, 
[pid  5083] write(2, "debug1: Setting KRB5CCNAME to 
FILE:/tmp/krb5cc_5020_WO5082\r\n", 60 <unfinished ...>
[pid  5082] <... read resumed> "debug1: Setting KRB5CCNAME to 
FILE:/tmp/krb5cc_5020_WO5082\r\r\n", 16384) = 61
[pid  5083] write(2, "  KRB5CCNAME=FILE:/tmp/krb5cc_5020_WO5082\n", 42 
<unfinished ...>
[pid  5082] <... read resumed> "Environment:\r\n 
KRB5CCNAME=FILE:/tmp/krb5cc_5020_WO5082\r\n  USER=bergolth\r\n 
LOGNAME=bergolth\r\n  HOME=/afs/wu-wien.ac.at/home/edvz/bergolth\r\n 
PATH=/usr/local/bin:/bin:/usr/bin\r\n  MAIL=/var/mail/bergolth\r\n", 
16384) = 204
[pid  5083] clone( <unfinished ...>
[pid  5083] <... clone resumed> child_stack=0, 
child_tidptr=0xb7f9c708) = 5084
write(2, "debug1: removing gssapi cred 
file\"/tmp/krb5cc_5020_WO5082\"\r\n", 60debug1: removing gssapi cred 
unlink("/tmp/krb5cc_5020_WO5082")       = 0

Alexander.Bergolth@wu-wien.ac.at                Fax: +43-1-31336-906050
Zentrum fuer Informatikdienste - Wirtschaftsuniversitaet Wien - Austria